Dear Department of Health, 


RE: Public consultation on the introduction of a statutory Duty of 
Candour in Northern Ireland 


Thank you for inviting the Information Commissioner's Office (ICO) to respond to 
the above consultation. 


As you will be aware, the Information Commissioner’s role includes the regulation 
of the Data Protection Act 2018, the UK General Data Protection Regulation (UK 
GDPR) and the Freedom of Information Act 2000 (FOIA), among other pieces of 
legislation. Given our role as a regulator, it would not be appropriate for us to 
respond with a view on the different questions and options proposed within the 
consultation document. However, there are data protection and information 
governance implications in the proposals which we have raised below for your 
consideration. 


Data protection law provides individuals with a number of rights, including the 
rights to be informed about and access information held about them by 
organisations (known as a subject access request, or SAR). The Freedom of 
Information Act provides access to other types of information held by public sector 
organisations in order to aid transparency and support democratic 
accountability. The Duty of Candour would require organisations providing health 
and social care to respond openly to questions and tell people involved if an 
incident has taken place in the course of their care or treatment that has caused 
physical or psychological harm. 


The proposed Duty of Candour appears to enhance transparency for people in 
relation to their care and the principle is welcomed accordingly. As the regulator 
for FOIA we are keen to see public authorities being open and transparent about 
the decisions they take. Introducing a duty of candour builds on the transparency 
requirements of FOIA. 


UK GDPR - Article 36(4) Statutory Requirement to Consult ICO 


Given the statutory nature of the proposals, it is important to firstly draw your 
attention to Article 36(4) of the UK GDPR which requires government 
departments and other public sector bodies to consult with the ICO on policy 
proposals for legislative or statutory measures relating to the processing of 
personal data. As your policy proposals are for a Duty of Candour, it is highly 
likely that this will trigger the need for consultation with us under Article 
36(4). The DCMS guidance on the consultation process under Article 36(4) is 
available here, alongside the Article 36(4) Enquiry Form which will need to be 
submitted to our legislation consultation mailbox: legcon@ico.org.uk. Your 
Departmental Data Protection Officer will be able to guide you through the 
process. 


If, having reviewed your Enquiry Form, we decide that further 
consultation with you is required, we may ask to view your Data Protection 
Impact Assessment (DPIA) regarding the policy proposals. Please note that the 
DPIA published as part of the consultation documentation would not suffice in 
this regard as it is a DPIA specifically on the consultation exercise, rather than an 
assessment of the personal data implications of your policy proposals. 


In the meantime, below we have briefly set out a few key data protection related 
considerations pertaining to the current consultation documentation: 


• Duty of Candour and disclosure of personal data 


In-depth consideration will need to be given in development of the Duty and 
associated guidance on how and when it will be appropriate to process 
and publicly release personal data. 


It is worth noting at this point that Data Protection laws only apply to data about 
living individuals. The Duty of Confidence is also likely to apply to much health 
and social care data, and this may continue beyond death. 

Other considerations of disclosure relevant to this consultation include: 


Right of access - UK data protection law provides individuals with a number 
of rights, including the right to obtain a copy of their personal information held 
by an organisation (commonly referred to as subject access). 


The rights under data protection are not absolute, and a limited number of 
exemptions may apply to the right of access. Organisations processing health 
data may, in narrow circumstances, rely on the serious harm exemption to 
withhold an individual's health data where it would be likely to cause 
serious harm to the physical or mental health of the data subject or another 
individual. 


Third party data - When considering an individual’s right of access and potential 
disclosures, you must consider the third party data and individual rights of those 
persons. In the practical application of a duty of candour, it is likely the names or 
job titles of health and social care colleagues could be disclosed. Furthermore, 
the Data Protection Act 2018 clarifies that in response to a valid SAR, it is 
reasonable to disclose the identity of health / social care professionals who have 
contributed to the health record or been involved in the care of the individual. 


A record should be kept by the controller of any decision to disclose or withhold 
information about a third party. 


Appropriate privacy information should be provided to health and social care staff 
where their personal information, such as name or job title, is likely to be 
disclosed in the release of personal information by way of subject access 
request or fulfilling the requirements of the duty of candour. 


• Access to relevant records and documents 


Section 5.26 of the consultation document outlines the processes to be followed 
when a serious incident has occurred and harm or death has been caused. One 
of the steps is to ensure that the service user or their next of kin have “access to 
relevant records and documents” to afford them an opportunity to participate in 
any subsequent investigation or review of the incident. It will be important to 
clarify the legal access route by which such information will be provided, for 
example, the Duty of Candour legislation should be written to explicitly set out 
what individuals are entitled to by way of records and documents as part of this 
process to ensure there is no ambiguity over the legal route of access being 
relied upon for this data sharing. 

• Proposed criminal offences regarding handling of information 


Sections 4.30 and 4.31 on Alternative Proposal (B) outline a statutory individual 
Duty of Candour without criminal sanctions for breach, and with separate 
criminal offences for withholding information, destroying information, or 
providing false or misleading information, and separate criminal offences which 
relate to the destruction of personal data within health records or deliberately 
falsifying personal data within health records. Consideration should be given to 
how these offences interact with the existing provisions contained within Section 
148 of the Data Protection Act 2018 which pertain to destroying or falsifying 
documents and also carry criminal sanctions. 


• Guidance for Organisations 


It will be important for any supporting guidance about the Duty of Candour to 
help organisations understand the data protection and Freedom of Information 
implications for them. Ensuring organisations are clear whether they are data 
controllers or data processors is a vital step, plus alerting them to any risks that 
you have identified in your DPIA for local mitigations. 


We hope the above feedback will be useful and look forward to receiving 
your Article 36(4) enquiry form as soon as convenient to ensure the consultation 
process is as meaningful as possible. 


If you have any further queries in relation to the comments above, please feel 
free to engage with our Northern Ireland Regional Office. 


Yours faithfully 


Caroline Mooney 
Regional Manager, ICO - Northern Ireland 


